Many developers encounter this scenario: you need to send an encrypted message using someone's GPG public key just once, but importing the key permanently into your keyring feels like unnecessary clutter. The standard gpg --import approach pollutes the keyring and requires a subsequent --delete-keys cleanup.
GPG actually provides two methods for temporary key usage:
# Method 1: Pass the key file directly
gpg --encrypt --recipient-file recipient_pubkey.asc message.txt
# Method 2: Use key content via stdin
cat recipient_pubkey.asc | gpg --encrypt --recipient-file - message.txt
These approaches work with GPG 2.1+ and avoid adding keys to your keyring.
Here's a complete workflow for temporary key usage:
# Download public key from keyserver temporarily
curl -s "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xKEYID" > tempkey.asc
# Encrypt message without importing
gpg --encrypt --recipient-file tempkey.asc \
    --output encrypted_message.gpg \
    sensitive_document.txt
# Check which key the message was encrypted to, without importing anything
# (--decrypt would need the recipient's private key, which the sender does not have)
gpg --list-packets encrypted_message.gpg
# Clean up
rm tempkey.asc
For more complex scenarios:
# Multiple temporary recipients
gpg --encrypt \
    --recipient-file alice_pub.asc \
    --recipient-file bob_pub.asc \
    group_message.txt
# In-memory operation (no temp files; <( ) is bash process substitution)
gpg --encrypt \
    --recipient-file <(wget -qO- https://example.com/pgp.asc) \
    message.txt
When direct file method isn't available:
# Temporary keyring method. The default trustdb is still consulted, so
# --trust-model always is needed to encrypt to an uncertified key non-interactively
gpg --no-default-keyring --keyring /tmp/tempkeyring.gpg \
    --import recipient_pubkey.asc
gpg --no-default-keyring --keyring /tmp/tempkeyring.gpg \
    --trust-model always \
    --encrypt --recipient recipient@email.com message.txt
# gpg may keep a ~ backup next to a keyring it rewrites; remove both
rm -f /tmp/tempkeyring.gpg /tmp/tempkeyring.gpg~
Remember to:
- Verify key fingerprints even for one-time use
- Consider using --trust-model always for temporary keys
- Clean up temporary files properly
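The checklist above carried out in one script, as an added example that is not part of the original page: it reads the key's primary fingerprint with --import-options show-only (no import happens), refuses to encrypt unless that fingerprint matches one obtained out of band, encrypts with --recipient-file under --no-keyring so the default keyring is never opened, and then uses --list-packets to show which key the ciphertext was built for. The function names, the argument layout and the colon-format sample in the comments are this example's own assumptions; it assumes a GnuPG 2.1 release that has --recipient-file.

```shell
# Added example (not from the original page): one-off encryption to a public
# key file with a mandatory fingerprint check, never touching the keyring.

# Print the primary-key fingerprint from "gpg --with-colons" output on stdin.
# The listing looks like (constructed sample):
#   pub:-:4096:1:1234567890ABCDEF:1600000000::-:::scESC::::::23::0:
#   fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
# and the first fpr: line belongs to the primary key.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint for comparison: drop spaces, upper-case hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 if the key file's primary fingerprint equals the expected one.
# show-only lists the key without storing it, so nothing is imported here.
key_matches() {
    keyfile=$1; expected=$2
    actual=$(gpg --with-colons --import-options show-only --import "$keyfile" 2>/dev/null \
             | fpr_from_colons)
    [ -n "$actual" ] && [ "$(norm_fpr "$actual")" = "$(norm_fpr "$expected")" ]
}

# Encrypt $3 to the key in $1 after checking it against fingerprint $2.
# --no-keyring keeps gpg away from the default keyring entirely; the key
# comes straight from the file via --recipient-file. Afterwards --list-packets
# prints the recipient key ID recorded in the ciphertext, which lets the
# sender confirm the result without holding the private key.
encrypt_once() {
    keyfile=$1; expected=$2; plaintext=$3
    out="${plaintext}.gpg"
    key_matches "$keyfile" "$expected" || {
        echo "fingerprint mismatch for $keyfile, refusing to encrypt" >&2
        return 1
    }
    gpg --batch --no-keyring --encrypt --recipient-file "$keyfile" \
        --output "$out" "$plaintext" || return 1
    gpg --batch --no-keyring --list-packets "$out" | grep -i 'keyid'
}

# Usage: ./encrypt_once.sh recipient_pub.asc "<expected fingerprint>" message.txt
if [ "$#" -eq 3 ]; then
    encrypt_once "$1" "$2" "$3"
fi
```

The expected fingerprint is the value the recipient published or handed over separately; comparing the full fingerprint rather than the short key ID is what makes the check meaningful.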
Many developers encounter situations where they need to encrypt a message using someone's GPG public key exactly once, perhaps for a secure bug report submission or a one-time communication. The standard gpg --import followed by --delete-key workflow feels unnecessarily heavy for such ephemeral use cases.
GPG actually provides a streamlined method through its --no-keyring option combined with direct key specification:
# --no-keyring disables every keyring (it overrides any --keyring option), so the
# recipient's key has to come from a file via --recipient-file; --recipient "user@domain.com"
# would have no keyring to search
echo "Secret message" | gpg --encrypt --no-keyring \
    --recipient-file recipient_pubkey.asc \
    --armor > message.asc
This approach:
- Never touches your keyring
- Works with keys fetched from keyservers or provided as files
- Maintains full encryption security
1. Encrypting with a Key from Keyserver
# --no-keyring gives --recv-keys nowhere to store a fetched key, so download it
# to a file over HKPS instead and point --recipient-file at that file
curl -fsS "https://keys.openpgp.org/pks/lookup?op=get&search=0xDEADBEEF12345678" \
    > tempkey.asc
echo "Data" | gpg --encrypt --no-keyring \
    --recipient-file tempkey.asc \
    --armor
rm tempkey.asc
2. Using a Public Key File Directly
# First show the key's fingerprint without importing it (show-only is a dry run),
# so it can be checked against the fingerprint the recipient gave you
FPR=$(gpg --with-colons --import-options show-only --import publickey.asc | \
    awk -F: '/^fpr:/ {print $10; exit}')
echo "Encrypting to key with fingerprint $FPR"
# Encrypt straight from the file: with --no-keyring there is no keyring for
# --recipient to search, so the key is given via --recipient-file
echo "Confidential" | gpg --encrypt \
    --recipient-file publickey.asc \
    --no-keyring \
    --armor
While convenient, this method does require GPG to rebuild its trust database each time. For batch processing many messages, importing once might be more efficient. But for one-off cases, the overhead is negligible.
This workflow actually enhances security in some ways:
- No persistent storage of others' public keys
- Reduces attack surface from compromised keyrings
- Prevents accidental future use of outdated keys
For more complex scenarios requiring multiple keys, create a temporary keyring:
TMP_KEYRING=$(mktemp)
gpg --no-default-keyring --keyring "$TMP_KEYRING" \
    --import publickey.asc
# Perform encryption operations
# gpg may keep a ~ backup next to a keyring it rewrites; remove both
rm -f "$TMP_KEYRING" "$TMP_KEYRING~"
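A variant of the temporary-keyring method, as an added example that is not from the original page: a throwaway keyring file still shares the default home's trustdb and gpg-agent, so this version points GNUPGHOME at a temporary directory instead, which discards the imported key, the trustdb and agent state together, and uses a trap so the directory is removed even when gpg fails part-way. The helper names and argument order are this example's own; it assumes gpg 2.1+ and a POSIX sh.

```shell
# Added example (not from the original page): isolate a one-off import in a
# throwaway GNUPGHOME rather than only a throwaway keyring file.

# Run "$@" with GNUPGHOME set to a fresh temporary directory. The directory is
# removed when the command finishes, whether it succeeded or not, and the
# command's exit status is passed through to the caller.
with_temp_gnupghome() {
    tmp=$(mktemp -d) || return 1
    (
        # stop the agent gpg may have started for this home, then wipe the home
        trap 'GNUPGHOME=$tmp gpgconf --kill all 2>/dev/null; rm -rf "$tmp"' EXIT
        GNUPGHOME=$tmp "$@"
    )
}

# Import one public key into the throwaway home and encrypt a file to it.
# --trust-model always skips the "not certain that the key belongs to" prompt
# that an uncertified key raises; the key and trustdb are gone on return.
encrypt_via_temp_home() {
    keyfile=$1; recipient=$2; plaintext=$3
    with_temp_gnupghome sh -c '
        gpg --batch --quiet --import "$1" &&
        gpg --batch --trust-model always --encrypt --armor \
            --recipient "$2" --output "$3.asc" "$3"
    ' sh "$keyfile" "$recipient" "$plaintext"
}

# Usage: ./temp_home.sh recipient_pub.asc recipient@example.com message.txt
if [ "$#" -eq 3 ]; then
    encrypt_via_temp_home "$1" "$2" "$3"
fi
```

Because the whole home is temporary, nothing persists in ~/.gnupg: no key, no trustdb entry and no backup keyring file, which is the clean-up the earlier rm lines approximate by hand.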